
  • Nation-state threat actors, especially from China, Iran and Russia, are likely to continue conducting cyberespionage campaigns against ports and shipping firms in the coming years
  • In recent months, diplomatic and military tensions seem to have driven heightened state-linked cyber threat activity against the maritime sector
  • But financially motivated ransomware groups still probably pose the most disruptive cyber threat for now

Financially motivated ransomware groups will probably pose the most pressing and disruptive cyber threat to port and maritime operations over the coming years. These groups seem to view such infrastructure as an attractive and lucrative target. This is because cyber attacks have previously disrupted cargo operations for up to several days, allowing cybercriminals to pressure companies into paying ransoms. Ageing IT systems and increased digitalisation of operations seem to be heightening the maritime sector’s vulnerability to such operations.

Diplomatic and military tensions, along with commercial interests, are also very probably driving cyber threats to the sector. This seems to be informing the targeting choices of nation-states, especially China, Iran and Russia. For instance, the US cybersecurity agency said in May that Russia was spying on Western shipping firms to gather information on aid to Ukraine. And in July, a report from a NATO-linked entity said such maritime facilities face ‘unprecedented’ threats from state-linked actors. The strategic value of this sector will probably continue to encourage state-backed espionage.

Ransomware still poses greatest cyber threat to ports and shipping 

The main cyber threat to the maritime sector will probably still stem from ransomware groups over the coming years. While cybercriminals tend to be opportunistic in their targeting, the high volume and value of cargo means that any disruption to operations is costly. A UK law firm cited by the BBC on 15 September said that the average cost of ransomware attacks on shipping firms is $3.2m. Companies tend not to disclose publicly if they comply with extortion demands, but a study of 22 ransomware attacks on the maritime sector last October found that most companies preferred to pay the ransom.

The US is likely to remain the primary target of such operations. US firms are the most-targeted globally by cybercriminals, according to multiple cybersecurity firms. Its maritime sector reportedly contributes nearly $2.9 trillion in GDP, according to data gathered by the American Association of Port Authorities. Other key targets seem to include Europe and Southeast Asia, probably due to the presence of major ports and shipping companies based there. The Norwegian Maritime Cyber Resilience Centre said in April that at least 45 such facilities were targeted with ransomware globally in 2024 (see map).

Most ransomware operations against the maritime industry are likely to result in short-lived operational delays. These typically impact IT systems but can also cause major disruption to operations. Last month, a cyberattack on Nigeria’s customs service disrupted cargo clearance operations at ports nationwide, according to the local press. And in a particularly high-profile incident in 2023, a ransomware attack on a logistics firm caused days-long cargo backlogs at several ports in Australia. Such delays are liable to create knock-on disruption to shipping and critical sectors, such as energy imports.

Underlying vulnerabilities in the sector

Many port and maritime facilities globally will probably remain vulnerable to cyberattacks over the coming years. This is due to the interconnectedness of IT systems with operational technology systems (responsible for physical functions such as crane controls) and, in many cases, ageing and unpatched systems. Port authorities globally appear to lack adequate cybersecurity standards. For instance, a consulting firm said in a report in July that ‘much of the cyber risk to the Maritime Transportation System stems from outdated operational technology’.

Some countries appear to be taking steps to improve the cybersecurity of such facilities, however. The Indonesian and US authorities notably held a cyber readiness exercise for the transport sector, including maritime, in Jakarta earlier this month. But based on our analysis of reported port security measures globally in recent months, many governments seem to focus more heavily on physical security than digital security.

Diplomatic and military tensions driving cyber threats

Geopolitical competition also seems to be driving the threat posed by state-backed hackers to maritime facilities. The NATO Cooperative Cyber Defence Centre of Excellence said in a report in July that ports face ‘unprecedented cybersecurity threats’ from state-linked actors. It added that ports in Europe and the Mediterranean face ‘a high frequency of cyber attacks’, many of which are linked to threat actors from China, Iran and Russia. This is probably driven by tensions between those countries and the West in recent years.

Espionage on strategic maritime interests 

Nation-state cyber actors will probably focus primarily on cyberespionage campaigns targeting the sector over the coming years. This is due to the importance of maritime and port assets in international trade and supply chains. Such campaigns rarely disrupt operations but allow countries to gain intelligence on commercial port operations or steal sensitive trade data. This is probably to gain a strategic or commercial advantage over rival countries.

China, the largest state sponsor of cyberespionage globally, seems particularly intent on doing so. It has conducted intense campaigns against shipping companies before; last year, cybersecurity firm ESET said that Chinese state-backed hacking group Mustang Panda gained remote access to IT systems on European commercial vessels for five months before they were discovered (see B-GBL-26-06-24 for more).

We anticipate that Chinese cyberespionage groups will target infrastructure and firms in regions of particular commercial or military interest. This would include regions linked to Beijing’s Belt and Road initiative, such as the straits of Malacca, Hormuz, Bab-el-Mandeb and Palk.

Other nation-state-linked groups also seem to be motivated to target the maritime sector. Cybersecurity firm Check Point said in March that SideWinder, an India-linked group, had recently ‘significantly intensified’ its intelligence-gathering campaigns against maritime and logistics organisations in Asia and Africa. And Russia has targeted the Western maritime sector as part of broader espionage campaigns to gather information on aid to Ukraine, according to the US in May.

A vessel of the Finnish Coast Guard (R) keeps watch on oil tanker Eagle S anchored near the Kilpilahti port in Porvoo, on the Gulf of Finland December 30, 2024. Cook Islands-registered ship Eagle S is suspected of the disruption of the Finland-Estonia electrical link Estlink 2 on December 25, 2024. Finnish police and Border Guard of Finland transferred the seized vessel closer to land on Saturday 28th to continue the investigation of damage caused to undersea cables. (Photo by Jussi Nukari / Lehtikuva / AFP via Getty Images)